[Pkg-sssd-devel] Bug#1001377: sssd-dbus: sssd_ifp messes up existing /var/log/sssd/p11_child.log permissions
Martin Pitt
mpitt at debian.org
Thu Dec 9 10:32:15 GMT 2021
Control: retitle -1 pam_sss messes up existing /var/log/sssd/p11_child.log permissions
Control: reassign -1 libpam-sss 2.6.1-1
Control: severity -1 important
Turns out this is both much simpler to reproduce and also much more severe --
one doesn't actually need all the certificate setup and
FindByValidCertificate() stuff -- that's just one of the "natural" ways (aside
from direct smart card login through PAM on the console) how
/var/log/sssd/p11_child.log would be created.
However, it is entirely sufficient to simply create an empty file, and then
do any login with pam_sss being active (i.e. having sssd running with a
trivial config).
Updated and simplified reproducer attached. The gist is
- touch /var/log/sssd/p11_child.log
- log into the machine
→ /var/log/sssd/p11_child.log permissions broken
Thanks,
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: repr2.sh
Type: application/x-sh
Size: 962 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-sssd-devel/attachments/20211209/738ecec5/attachment.sh>